April 8, 2014

Heartbleed Bug Threatens OpenSSL Encryption Service

This week computer security experts warned system administrators to patch a severe flaw in the software library that is now used by millions of websites to encrypt sensitive data and communications. This latest flaw is known as “Heartbleed,” and is reportedly contained in several versions of OpenSSL, which is a cryptographic library.

OpenSSL is one of those things that most people use every day, even if they don’t know it. OpenSSL implements SSL (Secure Sockets Layer) and TLS (Transport Layer Security) encryption, which is used by most websites. The bug is officially referenced as CVE-2014-0160, and it makes it possible for attackers to recover up to 64 kilobytes of memory from the server or client computer running a vulnerable OpenSSL version.

On Tuesday the following information was posted about the Heartbleed Bug by security firm Codenomicon on a website bearing the “Heartbleed Bug” moniker:

“The Heartbleed Bug is a serious vulnerability in the popular OpenSSL cryptographic software library. This weakness allows stealing the information protected, under normal conditions, by the SSL/TLS encryption used to secure the Internet. SSL/TLS provides communication security and privacy over the Internet for applications such as web, email, instant messaging (IM) and some virtual private networks (VPNs).

“The Heartbleed bug allows anyone on the Internet to read the memory of the systems protected by the vulnerable versions of the OpenSSL software. This compromises the secret keys used to identify the service providers and to encrypt the traffic, the names and passwords of the users and the actual content. This allows attackers to eavesdrop on communications, steal data directly from the services and users and to impersonate services and users.”

Researchers for Codenomicon tested their own services from an attacker’s perspective and were able to do so without leaving any trace. They made this “attack” without utilizing any privileged information or credentials and yet were able to “steal” the secret keys used for their X.509 certificates, user names and passwords, as well as instant messages, emails, business critical documents and other communications.

According to Codenomicon, “Operating systems that may have a vulnerable version of OpenSSL include Debian Wheezy, Ubuntu 12.04.4 LTS, CentOS 6.5, Fedora 18, OpenBSD 5.3, FreeBSD 8.4, NetBSD 5.0.2 and OpenSUSE 12.2.”

As PC World reported, “OpenSSL also underpins two of the most widely used Web servers, Apache and nginx. The code library is also used to protect email servers, chat servers, virtual private networks and other networking appliances.”

TechCrunch also reported that this bug has been in OpenSSL for more than two years – “Since December 2011, OpenSSL versions 1.0.1 through 1.0.1f.”
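A defender-side check derived from the version range quoted above, added here as an example that is not part of the original article and not OpenSSL’s own code: it classifies the output of `openssl version` against the 1.0.1 through 1.0.1f range. The sample banners are constructed.

```python
import re

# Affected range per the article: OpenSSL 1.0.1 through 1.0.1f (CVE-2014-0160).
# 1.0.1g is the first fixed release; 0.9.8 and 1.0.0 never had the TLS heartbeat code.
# Assumption: 1.0.1 releases use a single-letter suffix ("" < "a" < ... < "f" < "g").
VERSION_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)")

def parse_version(banner):
    """Extract (major, minor, fix, letter) from a banner such as
    'OpenSSL 1.0.1e 11 Feb 2013'. Returns None if no version is found."""
    m = VERSION_RE.search(banner)
    if not m:
        return None
    major, minor, fix, letter = m.groups()
    return (int(major), int(minor), int(fix), letter)

def is_heartbleed_version(banner):
    """True if the reported version falls in 1.0.1 .. 1.0.1f,
    False if it is outside that range, None if the banner is unparseable."""
    v = parse_version(banner)
    if v is None:
        return None
    major, minor, fix, letter = v
    if (major, minor, fix) != (1, 0, 1):
        return False
    # "" (plain 1.0.1) and "a".."f" are in range; "g" and later are fixed.
    return len(letter) <= 1 and letter <= "f"

def triage(banners):
    """Map constructed host -> banner pairs to a vulnerability verdict."""
    return {host: is_heartbleed_version(b) for host, b in banners.items()}

if __name__ == "__main__":
    # Constructed sample inventory, not real hosts.
    sample = {
        "web-1": "OpenSSL 1.0.1e 11 Feb 2013",
        "web-2": "OpenSSL 1.0.1g 7 Apr 2014",
        "mail-1": "OpenSSL 0.9.8y 5 Feb 2013",
    }
    for host, verdict in triage(sample).items():
        print(host, "VULNERABLE RANGE" if verdict else "not in range")
```

Distributions such as Debian, Ubuntu and CentOS backport fixes without changing the upstream version string, so a banner inside this range is a reason to check the package changelog, not a final verdict.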

“It appears that exploiting this bug leaves no trace in the server’s logs,” Greg Kumparak wrote for TechCrunch on Tuesday. “So there’s no easy way for a system administrator to know if their servers have been compromised; they just have to assume that they have been.”

Last week Nick Sullivan, a system engineer at content delivery network CloudFlare, patched the security flaw – but waited until Monday to announce the findings.

“This bug fix is a successful example of what is called responsible disclosure,” Sullivan said via a blog post on Monday. “Instead of disclosing the vulnerability to the public right away, the people notified of the problem tracked down the appropriate stakeholders and gave them a chance to fix the vulnerability before it went public. This model helps keep the Internet safe. A big thank you goes out to our partners for disclosing this vulnerability to us in a safe, transparent, and responsible manner. We will announce more about our responsible disclosure policy shortly.”